Hi All,

The problem got resolved by changing the level from require to use. As somebody has mentioned in one of the posts http://lists.freebsd.org/pipermail/freebsd-questions/2005-February/078308.html
it is a problem with ipv6 ONLY. To reiterate, my policy file is
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:0:1:20f:20ff:fefe:4c78 2001:db8:0:1:215:99ff:fe41:704c any -P in ipsec
   esp/transport//use;

spdadd 2001:db8:0:1:215:99ff:fe41:704c 2001:db8:0:1:20f:20ff:fefe:4c78 any -P out ipsec
  esp/transport//use;

Thanks a lot for your help.

With Regards,
Zakir Ahmed
 
"And fear Almighty, and know that you are to meet him in the hereafter"
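
Added example (not part of the original message or of ipsec-tools): a small parser for the policy file posted above that lists which SPD entries use level `use`. Per setkey(8), `use` lets the kernel apply an SA when one exists and otherwise keep normal operation, so matching traffic can leave unprotected, while `require` insists on an SA. The function names are hypothetical.

```python
import re

# The policy file exactly as posted in the message above.
POSTED_POLICY = """\
#!/sbin/setkey -f
flush;
spdflush;
spdadd 2001:db8:0:1:20f:20ff:fefe:4c78 2001:db8:0:1:215:99ff:fe41:704c any -P in ipsec
   esp/transport//use;

spdadd 2001:db8:0:1:215:99ff:fe41:704c 2001:db8:0:1:20f:20ff:fefe:4c78 any -P out ipsec
  esp/transport//use;
"""

# spdadd <src> <dst> <upperspec> -P <direction> <action> [protocol/mode/src-dst/level ...]
SPDADD = re.compile(
    r"^spdadd\s+(\S+)\s+(\S+)\s+(.+?)\s+-P\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_policies(text):
    """Return one dict per spdadd statement in a setkey -f policy file."""
    text = re.sub(r"#.*", "", text)          # drop comments and the #! line
    policies = []
    for stmt in text.split(";"):             # statements end with ';'
        m = SPDADD.match(" ".join(stmt.split()))
        if not m:
            continue                         # flush, spdflush, blank text
        src, dst, upper, direction, action, rest = m.groups()
        rules = []
        for spec in rest.split():            # e.g. esp/transport//use
            f = (spec.split("/") + [""] * 4)[:4]
            rules.append({"protocol": f[0], "mode": f[1],
                          "endpoints": f[2], "level": f[3] or "unspecified"})
        policies.append({"src": src, "dst": dst, "upperspec": upper,
                         "direction": direction, "action": action,
                         "rules": rules})
    return policies


def cleartext_fallback(policies):
    """Policies with a rule at level 'use': without an SA the kernel
    sends the matching packet unprotected instead of dropping it."""
    return [p for p in policies if p["action"] == "ipsec"
            and any(r["level"] == "use" for r in p["rules"])]
```

Running `cleartext_fallback(parse_policies(POSTED_POLICY))` returns both entries; the same file with `require` returns none.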
 


--- On Thu, 20/8/09, ZAKIR AHMED <zaks_974@yahoo.com> wrote:

From: ZAKIR AHMED <zaks_974@yahoo.com>
Subject: Re: [Ipsec-tools-devel] IPSEC ipv6 does NOT work consistently
To: "Timo Teräs" <timo.teras@iki.fi>
Cc: ipsec-tools-devel@lists.sourceforge.net
Date: Thursday, 20 August, 2009, 12:43 PM

I have compiled the code for 0.7.3 version and am using the same on both of my x86 machines. I see some strange behavior.

In the code flow, this is what I ideally expect

Initiator
session.c->pfkey_handler->pk_recvacquire->isakmp_postacquire->isakmp_ph1begin_i->isakmp_send->sendfromto(sendmsg)

Responder
session.c->isakmp_handler->isakmp_main->isakmp_ph1begin_r

But in the case of ipv6, even the responder is taking the initiator's path, hence resulting in a chicken-and-egg issue.

Still more strange is that this does NOT happen consistently. Sometimes it works and sometimes NOT.

My configs are present in the same thread. Any help from anybody would be appreciated.

Thanks in advance.


With Regards,
Zakir Ahmed
 
"And fear Almighty, and know that you are to meet him in the hereafter"
 


--- On Fri, 14/8/09, ZAKIR AHMED <zaks_974@yahoo.com> wrote:

From: ZAKIR AHMED <zaks_974@yahoo.com>
Subject: Re: [Ipsec-tools-devel] IPSEC ipv6 does NOT work consistently
To: "Timo Teräs" <timo.teras@iki.fi>
Cc: ipsec-tools-devel@lists.sourceforge.net
Date: Friday, 14 August, 2009, 3:20 PM

I compiled ipsec-tools-0.7.3 but to NO avail. Same problem is seen there also. I am running 0.6.4 on one machine and 0.7.3 on another. In both the directions, it gives this problem.

With Regards,
Zakir Ahmed
 
"And fear Almighty, and know that you are to meet him in the hereafter"
 


--- On Fri, 14/8/09, Timo Teräs <timo.teras@iki.fi> wrote:

From: Timo Teräs <timo.teras@iki.fi>
Subject: Re: [Ipsec-tools-devel] IPSEC ipv6 does NOT work consistently
To: "ZAKIR AHMED" <zaks_974@yahoo.com>
Cc: ipsec-tools-devel@lists.sourceforge.net
Date: Friday, 14 August, 2009, 12:57 PM

ZAKIR AHMED wrote:
>   The success and failure logs are as below
>
> Failed Case
>
> Initiator
> 2009-08-11 15:14:46: INFO: IPsec-SA request for 2001:db8:0:1:20f:20ff:fefe:4c78 queued due to no phase1 found.
> 2009-08-11 15:14:46: ERROR: unknown AF: 0
> 2009-08-11 15:14:46: INFO: initiate new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
> 2009-08-11 15:14:46: INFO: begin Aggressive mode.
> 2009-08-11 15:14:46: INFO: respond new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
> 2009-08-11 15:14:46: INFO: begin Aggressive mode.
> 2009-08-11 15:14:46: INFO: received Vendor ID: DPD
> 2009-08-11 15:14:46: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
> 2009-08-11 15:15:16: NOTIFY: the packet is retransmitted by 2001:db8:0:1:20f:20ff:fefe:4c78[500] (1).
> 2009-08-11 15:15:17: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0]
> 2009-08-11 15:15:17: INFO: delete phase 2 handler.

Looks like there are problems in the pre-shared-key look up code.
There was one IPv6 specific fix in 0.7.3 that might have fixed this.
Could you test that release? If it does not work, we'll take a look
what else could go wrong.

Or is this reproducible one direction only?

- Timo
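
Added example (not part of the original thread or of ipsec-tools): the failed-case log quoted above shows racoon both initiating and responding to phase 1 with the same peer in the same second, followed by a phase 2 timeout. The sketch below finds that pattern in a racoon log; the function name and the 5-second window are assumptions, and the sample is a subset of the quoted lines with the "> " marks removed.

```python
import re
from datetime import datetime, timedelta

# Subset of the "Failed Case" lines quoted above.
FAILED_CASE = """\
2009-08-11 15:14:46: INFO: IPsec-SA request for 2001:db8:0:1:20f:20ff:fefe:4c78 queued due to no phase1 found.
2009-08-11 15:14:46: ERROR: unknown AF: 0
2009-08-11 15:14:46: INFO: initiate new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 15:14:46: INFO: begin Aggressive mode.
2009-08-11 15:14:46: INFO: respond new phase 1 negotiation: <=>2001:db8:0:1:20f:20ff:fefe:4c78[500]
2009-08-11 15:14:46: INFO: begin Aggressive mode.
2009-08-11 15:15:17: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 2001:db8:0:1:20f:20ff:fefe:4c78[0]->2001:db8:0:1:215:99ff:fe41:704c[0]
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (\w+): (.*)$")
PH1 = re.compile(r"^(initiate|respond) new phase 1 negotiation: \S*<=>(\S+)$")
PH2_TIMEOUT = "phase2 negotiation failed due to time up waiting for phase1"


def diagnose(log_text, window=timedelta(seconds=5)):
    """Report peers for which this host logged both roles of a phase 1
    negotiation within `window`, plus the number of phase 2 timeouts."""
    last_seen = {}                      # (peer, role) -> last timestamp
    report = {"collisions": [], "phase2_timeouts": 0}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(3)
        if msg.startswith(PH2_TIMEOUT):
            report["phase2_timeouts"] += 1
        ph1 = PH1.match(msg)
        if not ph1:
            continue
        role, peer = ph1.groups()
        other = "respond" if role == "initiate" else "initiate"
        prev = last_seen.get((peer, other))
        if prev is not None and ts - prev <= window:
            # The opposite role was logged for the same peer moments ago.
            report["collisions"].append((peer, role, ts.isoformat(sep=" ")))
        last_seen[(peer, role)] = ts
    return report
```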



_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel

